Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 afad9a35889668f9…

MALICIOUS

Office (OLE)

Size: 713.5 KB
Created: 2017-07-11 23:40:00
Authoring application: Microsoft Office Word
First seen: 2018-03-04
MD5: 929c1810b2a8867e1db7af78d8c72143
SHA-1: 68c76a0ea799af57fe65e934263e4ad39f98623d
SHA-256: afad9a35889668f90ef1049d19e5ee2e082e0be7fa7cd317bab60783c4201051
Risk score: 500

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1137.001 Office Application Startup: Office Template Macros
  • T1203 Exploitation for Client Execution

This OLE document carries a Word OLE Package (Ole10Native) object whose payload is a PE executable, identified by ClamAV as Win.Trojan.Agent-6332738-0. An SC_MSF_REVERSE signature hit together with references to the WinExec, VirtualAlloc, LoadLibrary and GetProcAddress APIs is consistent with a reverse-shell payload, although the region the signature flagged disassembles as ordinary compiled code rather than a position-independent stub, so the reverse-shell classification should be confirmed by running the carved executable in a sandbox and watching for an outbound connection. Whatever the payload does, the delivery mechanism is clear: an executable packaged inside an Office document runs when the recipient double-clicks the embedded object, which makes this a dropper rather than a document.

Heuristics (10)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with an Ole10Native stream together with executable (PE) or risky remote-link indicators. CVE-2026-21514 is a flaw in OLE metadata validation, and this stronger structure is scored as likely exploitation. The match is structural: it shows the file has the shape such an exploit would use, not that the sample actually triggers the vulnerability. Note also that an Ole10Native Package runs its payload on a user double-click with no vulnerability at all, so the dropper works whether or not the CVE is involved.
  • ClamAV: Win.Trojan.Agent-6332738-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-6332738-0
  • Metasploit reverse_tcp shellcode critical SC_MSF_REVERSE
    The signature fired on the bytes fc e8 82 00 00 00 (cld; call +0x82) at 000549B8, which are the leading bytes of the block_api stub used by Metasploit's Windows x86 payloads. In a genuine stub the call is followed immediately by the api_call routine, 60 89 e5 31 c0 64 8b 50 30 (pushad; mov ebp, esp; xor eax, eax; mov edx, fs:[eax+0x30]). In the listing below the bytes after the call decode instead as a function epilogue (pop edi; pop esi; pop ebx; mov esp, ebp; pop ebp; ret), compiler alignment padding (lea eax, [eax]; mov eax, eax) and absolute data references into a 0x400000-based image (0x466cf0, 0x46f99c), which is the shape of ordinary compiled code, not position-independent shellcode. Treat this as a prefix match to be confirmed against the carved PE (for example by detonating it and watching for an outbound TCP connection), not as proof of a reverse shell on its own.
    Disassembly
    Attempted x86 opcode disassembly of the matched region (addresses as reported by the scanner)
    000549B8  fc                cld
    000549B9  e882000000        call 0x54a40
    000549BE  5f                pop edi
    000549BF  5e                pop esi
    000549C0  5b                pop ebx
    000549C1  8be5              mov esp, ebp
    000549C3  5d                pop ebp
    000549C4  c3                ret
    000549C5  8d4000            lea eax, [eax]
    000549C8  53                push ebx
    000549C9  56                push esi
    000549CA  8bd8              mov ebx, eax
    000549CC  3b5324            cmp edx, dword ptr [ebx + 0x24]
    000549CF  7436              je 0x54a07
    000549D1  8bf2              mov esi, edx
    000549D3  85f6              test esi, esi
    000549D5  7518              jne 0x549ef
    000549D7  33c0              xor eax, eax
    000549D9  8a4318            mov al, byte ptr [ebx + 0x18]
    000549DC  8b0485f06c4600    mov eax, dword ptr [eax*4 + 0x466cf0]
    000549E3  50                push eax
    000549E4  a19cf94600        mov eax, dword ptr [0x46f99c]
    000549E9  8b00              mov eax, dword ptr [eax]
    000549EB  ffd0              call eax
    000549ED  8bd0              mov edx, eax
    000549EF  895324            mov dword ptr [ebx + 0x24], edx
    000549F2  c6434401          mov byte ptr [ebx + 0x44], 1
    000549F6  8b4304            mov eax, dword ptr [ebx + 4]
    000549F9  e8ba060000        call 0x550b8
    000549FE  85f6              test esi, esi
    00054A00  7505              jne 0x54a07
    00054A02  33c0              xor eax, eax
    00054A04  894324            mov dword ptr [ebx + 0x24], eax
    00054A07  5e                pop esi
    00054A08  5b                pop ebx
    00054A09  c3                ret
    00054A0A  8bc0              mov eax, eax
    00054A0C  3b5028            cmp edx, dword ptr [eax + 0x28]
    00054A0F  7413              je 0x54a24
    00054A11  895028            mov dword ptr [eax + 0x28], edx
    00054A14  c6402c00          mov byte ptr [eax + 0x2c], 0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside the document (carved at offset 0x4484, see the extracted artifacts below) — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    The OLE Package's displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script that the default shell host runs on double-click). Embedding such a payload in an Office document has no legitimate authoring use; the document is a malware-delivery dropper that fires when the recipient double-clicks the object.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to the WinExec API (legacy process launch; a common way for a dropper to run the file it has just written to disk).
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to the LoadLibrary API (runtime DLL loading; paired with GetProcAddress it lets code resolve its imports without an import table, typical of shellcode and packer stubs).
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to the GetProcAddress API (runtime symbol resolution; see LoadLibrary above).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to the VirtualAlloc API (allocates fresh memory, often executable, for unpacking or staging code). All four of these APIs are also imported by many legitimate packed or compiled Windows binaries, so they add weight only in combination with the other findings.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
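What an SC_MSF_REVERSE-style signature actually matches, and the follow-up check that separates a genuine Metasploit block_api stub from a coincidental prefix hit like the region disassembled above. This is an added example written for this page, not the scanner's code. The byte constants are the well-known leading bytes of the Metasploit Windows x86 block_api stub and the ws2_32 load fragment of its reverse_tcp payloads; PAGE_REGION is transcribed from the disassembly listing above; SYNTHETIC_STUB is a constructed buffer whose api_call body is NOP-padded, so it is not a working payload.

```python
"""Tiered check behind an SC_MSF_REVERSE-style hit.

Added example for this page, not the scanner's code. Constants are the
well-known leading bytes of the Metasploit Windows x86 block_api stub and the
ws2_32 load fragment of its reverse_tcp payloads. PAGE_REGION is transcribed
from the disassembly listing in this report; SYNTHETIC_STUB is constructed
(api_call body padded with NOPs) and is not a working payload.
"""
import struct

# cld; call +0x82 : every Metasploit x86 block_api stub starts like this
MSF_PREFIX = bytes.fromhex("fce882000000")
# start of api_call, immediately after the call in a genuine stub:
# pushad; mov ebp,esp; xor eax,eax; mov edx,fs:[eax+0x30]
MSF_API_CALL = bytes.fromhex("6089e531c0648b5030")
# reverse_tcp: push "32\0\0"; push "ws2_"; push esp;
# push 0x0726774C (LoadLibraryA hash); call ebp
WS2_LOAD = bytes.fromhex("6833320000687773325f54684c772607ffd5")


def msf_hits(buf: bytes) -> list:
    """Find every prefix match and grade it by how much of the real stub follows."""
    hits = []
    pos = buf.find(MSF_PREFIX)
    while pos != -1:
        after = pos + len(MSF_PREFIX)
        body_ok = buf[after:after + len(MSF_API_CALL)] == MSF_API_CALL
        # the call's rel32 says where the payload proper starts (0x82 past the call)
        rel = struct.unpack_from("<i", buf, pos + 2)[0]
        target = after + rel
        ws2 = body_ok and WS2_LOAD in buf[target:target + 64]
        verdict = "msf_reverse_tcp" if ws2 else "msf_block_api" if body_ok else "prefix_only"
        hits.append({"offset": pos, "api_call_body": body_ok,
                     "ws2_32_load": ws2, "verdict": verdict})
        pos = buf.find(MSF_PREFIX, pos + 1)
    return hits


# Bytes at 000549B8.. in the listing above: the prefix, then a function epilogue
# (pop edi/esi/ebx; mov esp,ebp; pop ebp; ret), padding and absolute data refs.
PAGE_REGION = bytes.fromhex(
    "fce882000000" "5f5e5b8be55dc3" "8d4000" "5356" "8bd8" "3b5324" "7436"
    "8bf2" "85f6" "7518" "33c0" "8a4318" "8b0485f06c4600" "50" "a19cf94600"
    "8b00" "ffd0")

# Constructed: prefix + start of api_call, NOP-padded to the 0x82-byte api_call
# length, then the first payload bytes (pop ebp; load ws2_32 via LoadLibraryA hash).
SYNTHETIC_STUB = (MSF_PREFIX + MSF_API_CALL
                  + b"\x90" * (0x82 - len(MSF_API_CALL))
                  + b"\x5d" + WS2_LOAD + b"\x90" * 32)


def strongest(buf: bytes) -> str:
    """Single verdict for a buffer; 'none' when the prefix never appears."""
    order = {"msf_reverse_tcp": 3, "msf_block_api": 2, "prefix_only": 1}
    return max((h["verdict"] for h in msf_hits(buf)), key=order.get, default="none")


if __name__ == "__main__":
    print("page region :", msf_hits(PAGE_REGION))
    print("synthetic   :", msf_hits(SYNTHETIC_STUB))
```

Run against the bytes from the listing, the result is a prefix-only hit, which is the right weight for this report's SC_MSF_REVERSE finding; the constructed stub grades as msf_reverse_tcp only because both the api_call body and the ws2_32 load fragment are present at the offsets the stub's own call rel32 predicts.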

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: embedded_office_00004484.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x4484
Size: 713,084 bytes
SHA-256: 76a2fc60b81d9d9717693fa316daeead1d27b8193f23c63a8cb14c1388cd2c12
Detection: ClamAV: Win.Trojan.Agent-6332738-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_MSF_REVERSE, SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY. Recovered API/import strings: LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess, kernel32.dll, KERNEL32.DLL
Note: offset 0x4484 (17,540) plus 713,084 bytes is 730,624 bytes, which is the whole 713.5 KB document, so this carve runs from the MZ header to end of file and includes any compound-file sectors that follow the executable. It is also larger than the Ole10Native stream below, which is the bounded container for the same payload (same ClamAV detection, same indicators). Take the payload's hash and size from the stream rather than from this over-carve before sharing indicators.

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream ObjectPool/_1561325202/Ole10Native
Size: 708,974 bytes
SHA-256: f2f8ba0e50d0861d29b4eb35cf3e939290a27a0b40df08ff1e2f99e41f22bebe
Detection: ClamAV: Win.Trojan.Agent-6332738-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_MSF_REVERSE, SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY. Recovered API/import strings: LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess, kernel32.dll, KERNEL32.DLL
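How the Ole10Native package behind the OFFICE_PACKAGE_RISKY_FILE and OLE_EMBEDDED_EXE heuristics is laid out, and how the displayName/fullPath extension check is applied to a carved stream such as ObjectPool/_1561325202/Ole10Native above. This is an added example written for this page, not the scanner's own code: the field layout it assumes is the commonly documented one (the same one oletools' oleobj parses), the sample streams are constructed inside the block, the MZ payload is not a real PE, and the extension list is an illustrative subset rather than the scanner's.

```python
"""Ole10Native (Word OLE Package) parser plus a risky-payload check.

Added example for this page, not the scanner's own code. Field layout assumed
(the commonly documented one, as parsed by oletools' oleobj):
    u32 size (bytes that follow) | u16 flags (usually 2) | ASCIIZ label (displayName)
    | ASCIIZ source path (fullPath) | u32 unknown | u32 (usually temp-path length)
    | ASCIIZ temp path | u32 data length | data | optional trailer
Sample streams below are constructed here; the MZ payload is not a real PE.
"""
import ntpath
import struct

# Illustrative subset of extensions Windows runs directly on double-click.
AUTO_EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                 ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1"}


def _asciiz(buf: bytes, pos: int):
    """Read a NUL-terminated string at pos; return (text, position after the NUL)."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated string in Ole10Native stream")
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Split an Ole10Native stream into its metadata fields and payload."""
    try:
        total, flags = struct.unpack_from("<IH", stream, 0)
        if total + 4 > len(stream):
            raise ValueError(f"declared size {total} exceeds stream of {len(stream)} bytes")
        pos = 6
        label, pos = _asciiz(stream, pos)
        src_path, pos = _asciiz(stream, pos)
        pos += 8                                   # two u32 fields of unclear meaning
        temp_path, pos = _asciiz(stream, pos)
        (data_len,) = struct.unpack_from("<I", stream, pos)
        pos += 4
    except struct.error as exc:
        raise ValueError("Ole10Native header truncated") from exc
    if pos + data_len > len(stream):
        raise ValueError("payload length runs past end of stream")
    return {
        "flags": flags,
        "label": label,                        # displayName in the scanner's terms
        "src_path": src_path,                  # fullPath
        "temp_path": temp_path,
        "data": stream[pos:pos + data_len],
        "trailer": stream[pos + data_len:],    # some writers append Unicode copies of the names
    }


def build_ole10native(label: str, src_path: str, temp_path: str, payload: bytes) -> bytes:
    """Inverse of parse_ole10native; used here only to construct test streams."""
    body = struct.pack("<H", 2) + label.encode("latin-1") + b"\x00"
    body += src_path.encode("latin-1") + b"\x00"
    body += struct.pack("<II", 0, len(temp_path) + 1) + temp_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


def risky_package(meta: dict):
    """OFFICE_PACKAGE_RISKY_FILE-style rule (displayName or fullPath carries an
    auto-executable extension) plus an OLE_EMBEDDED_EXE-style MZ check on the payload."""
    for field in ("label", "src_path"):
        ext = ntpath.splitext(meta[field])[1].lower()   # ntpath: handles backslash paths everywhere
        if ext in AUTO_EXEC_EXT:
            return True, f"{field} ends in {ext}"
    if meta["data"][:2] == b"MZ":
        return True, "payload starts with an MZ header"
    return False, "no auto-executable name and no PE payload"


# Constructed samples (not taken from the analysed document).
DROPPER_STREAM = build_ole10native(
    "invoice.exe", r"C:\Users\sample\invoice.exe",
    r"C:\Users\sample\AppData\Local\Temp\invoice.exe", b"MZ" + b"\x90" * 64)
BENIGN_STREAM = build_ole10native(
    "notes.txt", r"C:\notes.txt", r"C:\Temp\notes.txt", b"just text\n")


def triage(stream: bytes) -> dict:
    """Parse a stream and attach the verdict, as a carve-then-classify step would."""
    meta = parse_ole10native(stream)
    risky, why = risky_package(meta)
    return {"label": meta["label"], "src_path": meta["src_path"],
            "payload_size": len(meta["data"]), "risky": risky, "reason": why}


if __name__ == "__main__":
    for name, s in (("dropper", DROPPER_STREAM), ("benign", BENIGN_STREAM)):
        print(name, triage(s))
```

Against a real carve, feed the bytes of the Ole10Native stream to triage() and hash meta["data"] to get the payload's own digest; the size check up front is what stops a truncated or over-carved stream from being misread as a short payload followed by garbage.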